Apple’s massive ‘goto fail’ fixed in iOS, but not in OS X

Late last week, Apple issued a patch for iOS, the mobile operating system powering iPhones, iPads and iPod Touch devices. The update fixed an extremely serious security issue: a flaw in Apple’s implementation of SSL/TLS, the encryption protocol that protects web traffic and app connections. Apple’s own description of the impact:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

In other words, anything you send over an encrypted connection could be read or altered by someone positioned on the network between you and the server, such as on a public Wi-Fi hotspot. Without the patch, your communications cannot be trusted.

I know a lot of people delay or even ignore operating system updates, but doing so now will put you at serious risk. Apple made the patch available for those running iOS 7 and iOS 6.1. There’s even a patch for the version of iOS running on Apple TV. Use the software update on these devices to fix the flaw ASAP.

The flaw was caused by a single mistake in what’s known as a “goto” statement. In programming, goto jumps from one place in the code to another. In this case, an extra goto makes the program jump past the rest of the verification checks, so the step that confirms the identity of the server you are talking to is effectively skipped. Generally, relying on goto is considered lazy programming, and this issue makes it clear why.
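To make the mistake concrete, here is a simplified illustration I have added to this post. It is not Apple’s source code: the hash_update and verify_signature routines are toy stand-ins I constructed for the real cryptography, and the message and signature values are made up. What it does reproduce is the shape of the bug: a chain of checks that each jump to a cleanup label on error, with one goto line accidentally duplicated so that the signature check never runs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified, constructed illustration of the "goto fail" pattern.
 * This is not Apple's Secure Transport source; the hash and signature
 * routines below are toys that stand in for the real cryptography. */

enum { OK = 0, ERR_HASH = -1, ERR_SIGNATURE = -2 };

/* Toy stand-in for a hash update step: returns 0 on success. */
static int hash_update(uint32_t *state, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *state = *state * 31u + data[i];
    return OK;
}

/* Toy stand-in for the final signature comparison. */
static int verify_signature(uint32_t computed, uint32_t signature)
{
    return computed == signature ? OK : ERR_SIGNATURE;
}

/* Vulnerable shape: the indented but unconditional second "goto fail"
 * jumps to the cleanup label while err still holds 0 from the previous
 * successful step, so verify_signature() never runs and any signature
 * is accepted. */
int verify_vulnerable(const uint8_t *msg, size_t len, uint32_t signature)
{
    uint32_t state = 0;
    int err;

    if ((err = hash_update(&state, msg, len)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken, err == OK here */
    if ((err = verify_signature(state, signature)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed shape: the duplicate is gone, and braces make the control flow
 * match the indentation, so a stray extra line cannot silently change it. */
int verify_fixed(const uint8_t *msg, size_t len, uint32_t signature)
{
    uint32_t state = 0;
    int err;

    if ((err = hash_update(&state, msg, len)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(state, signature)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    const uint8_t *msg = (const uint8_t *)"hi";  /* constructed sample message */
    uint32_t good_sig = 3329u;  /* what the toy hash yields for "hi" */
    uint32_t bad_sig = 1u;      /* a forged signature that should be rejected */

    printf("vulnerable, bad signature: %d (0 means accepted)\n",
           verify_vulnerable(msg, 2, bad_sig));
    printf("fixed, bad signature:      %d\n",
           verify_fixed(msg, 2, bad_sig));
    printf("fixed, good signature:     %d\n",
           verify_fixed(msg, 2, good_sig));
    return 0;
}
```

Compile it with warnings turned on and you will see why tooling matters here: gcc’s -Wall includes -Wmisleading-indentation, and clang’s -Wunreachable-code flags the orphaned second goto. Neither warning changes the program, but either one would have drawn a reviewer’s eye to the line.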

If you want to check whether your device is vulnerable, you can visit the gotofail.com website using Apple’s Safari browser. If your device is not protected, you’ll get a warning to that effect.

You will note that the above screenshot was not taken on an iOS device – it was grabbed via Safari on a Mac running OS X Mavericks, Apple’s latest desktop operating system. While Apple has patched its mobile devices, it has yet to do so for OS X.

That’s probably because the issue is pervasive across multiple OS X apps, and not just Safari. Forbes reports that a researcher has discovered the flaw affects many of the programs that come with the operating system:

On Sunday, privacy researcher Ashkan Soltani posted a list of OSX applications on Twitter that he says he’s determined use Apple’s “secure transport” framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL. The full list, which isn’t comprehensive given that Soltani only analyzed the programs on his own PC, is shown below. (Soltani has underlined the vulnerable application names in red.)

Among the OS X apps affected: iMessage, FaceTime, Mail, iBooks and more. Even Software Update – which OS X uses to update itself – is affected. That means, in theory, an attacker in a position to intercept the connection could spoof an update to the operating system laced with malicious code.

There has been some speculation online that this programming error was introduced deliberately, perhaps by the NSA, because it would allow unencumbered snooping. John Gruber at Daring Fireball notes that the flaw first appeared in iOS 6, and that documents released by Edward Snowden indicate Apple was “added” to the NSA’s PRISM program a month after that release. Gruber’s skeptical that it was introduced by the NSA, but it’s very possible that the agency was taking advantage of it. I’ll buy that.

Regardless, if you use iOS devices and you have not patched, do so now. And if you’re a Mac user, keep an eye out for a fix for OS X, and update as soon as it’s available. In the meantime, you may want to use a browser other than Safari, and use a web-based interface for your email until it’s fixed.